This is an automated email from the ASF dual-hosted git repository. robertlazarski pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-rampart.git
The following commit(s) were added to refs/heads/master by this push: new c4371bf8 RAMPART-432 Add a client and server way to set the WSS4J param disableBSPEnforcement. I need community help on a unit test, or more time to figure out one in a subsequent release c4371bf8 is described below commit c4371bf8b187086b56fd92dafa54ab15a246e067 Author: Robert Lazarski <robertlazar...@gmail.com> AuthorDate: Wed Oct 30 05:22:31 2024 -1000 RAMPART-432 Add a client and server way to set the WSS4J param disableBSPEnforcement. I need community help on a unit test, or more time to figure out one in a subsequent release --- .../src/main/java/org/apache/rampart/RampartEngine.java | 8 ++++++-- .../main/java/org/apache/rampart/RampartMessageData.java | 2 ++ .../org/apache/rampart/handler/CertificateValidator.java | 8 +++++--- .../rampart/policy/builders/RampartConfigBuilder.java | 6 ++++++ .../org/apache/rampart/policy/model/RampartConfig.java | 16 ++++++++++++++++ .../org/apache/rampart/saml/SAML1AssertionHandler.java | 5 ++--- .../org/apache/rampart/saml/SAML2AssertionHandler.java | 5 ++--- .../org/apache/rampart/saml/SAMLAssertionHandler.java | 3 ++- .../src/main/java/org/apache/rahas/RahasConstants.java | 2 ++ .../src/main/java/org/apache/rahas/client/STSClient.java | 6 +++++- .../main/java/org/apache/rahas/impl/util/CommonUtil.java | 3 ++- .../main/java/org/apache/rahas/impl/util/SAML2Utils.java | 8 ++++---- .../java/org/apache/rahas/impl/SAML2TokenIssuerTest.java | 1 - .../java/org/apache/rahas/impl/util/CommonUtilTest.java | 6 +++++- 14 files changed, 59 insertions(+), 20 deletions(-) diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java b/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java index 2ba5b4f8..e5bee768 100644 --- a/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java +++ b/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java 
@@ -276,8 +276,7 @@ public class RampartEngine { Date.from(samlAssertionHandler.getDateNotBefore()), Date.from(samlAssertionHandler.getDateNotOnOrAfter())); - token.setSecret(samlAssertionHandler. - getAssertionKeyInfoSecret(signatureCrypto, tokenCallbackHandler)); + token.setSecret(samlAssertionHandler.getAssertionKeyInfoSecret(signatureCrypto, tokenCallbackHandler, Boolean.parseBoolean(rampartConfig.getDisableBSPEnforcement()))); store.add(token); } } catch (Exception e) { @@ -386,6 +385,11 @@ public class RampartEngine { requestData.setCallbackHandler(tokenCallbackHandler); requestData.setAllowRSA15KeyTransportAlgorithm(true); // backward compatibility requestData.setValidateSamlSubjectConfirmation(false); // backward compatibility + + RampartConfig rampartConfig = rpd.getRampartConfig(); + if (rampartConfig != null) { + requestData.setDisableBSPEnforcement(Boolean.parseBoolean(rampartConfig.getDisableBSPEnforcement())); // WSS4J + } //wss4j does not allow username tokens with no password per default, see https://issues.apache.org/jira/browse/WSS-420 //configure it to allow them explicitly if at least one username token assertion with no password requirement is found diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/RampartMessageData.java b/modules/rampart-core/src/main/java/org/apache/rampart/RampartMessageData.java index 71cac78d..99eba6af 100644 --- a/modules/rampart-core/src/main/java/org/apache/rampart/RampartMessageData.java +++ b/modules/rampart-core/src/main/java/org/apache/rampart/RampartMessageData.java 
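Review bot: The new `token.setSecret(samlAssertionHandler.getAssertionKeyInfoSecret(signatureCrypto, tokenCallbackHandler, Boolean.parseBoolean(rampartConfig.getDisableBSPEnforcement())))` dereferences `rampartConfig` with no null check, while the second hunk in this same file guards the value it gets from `rpd.getRampartConfig()` with `if (rampartConfig != null)`. If the variable read here is that same config object, a policy without a RampartConfig assertion now raises a NullPointerException that lands in the `catch (Exception e)` visible just below instead of storing the token; if it is a different variable, the two hunks should at least agree on how the flag is read. A safe form is `boolean disableBSP = rampartConfig != null && Boolean.parseBoolean(rampartConfig.getDisableBSPEnforcement());` followed by `token.setSecret(samlAssertionHandler.getAssertionKeyInfoSecret(signatureCrypto, tokenCallbackHandler, disableBSP));`. The enclosing method begins and ends outside the hunk, so where `rampartConfig` is declared cannot be seen here.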
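Review bot: `requestData.setDisableBSPEnforcement(Boolean.parseBoolean(rampartConfig.getDisableBSPEnforcement()))` in the second hunk switches off WSS4J's Basic Security Profile compliance checks for every inbound message processed under the policy, yet nothing records that the weaker mode is active and the `// WSS4J` comment only says where the flag goes. A security-relaxing switch deserves the same visibility as the two `// backward compatibility` lines above it: compute the value once and warn through the class logger when it is set, e.g. `boolean disableBSP = Boolean.parseBoolean(rampartConfig.getDisableBSPEnforcement()); if (disableBSP) { log.warn("disableBSPEnforcement=true: WSS4J Basic Security Profile checks are skipped for this policy"); } requestData.setDisableBSPEnforcement(disableBSP);`, assuming a `log` field exists on RampartEngine as it does elsewhere in Rampart. Replace the comment with one that states why a deployment would set it (interoperating with a peer whose messages violate the BSP). The enclosing method begins and ends outside the hunk.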
@@ -360,11 +360,13 @@ public class RampartMessageData { .getRampartConfig().isDefaultTimestampPrecisionInMs(); boolean timestampStrict = this.policyData.getRampartConfig().isTimeStampStrict(); + boolean disableBSPEnforcement = Boolean.parseBoolean(this.policyData.getRampartConfig().getDisableBSPEnforcement()); // We do not need earlier logic as now WSS4J returns a new instance of WSSConfig, rather // than a singleton instance. Therefore modifying logic as follows, requestData.setTimeStampStrict(timestampStrict); requestData.setPrecisionInMilliSeconds(timestampPrecisionInMilliseconds); + requestData.setDisableBSPEnforcement(disableBSPEnforcement); // WSS4J } diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/handler/CertificateValidator.java b/modules/rampart-core/src/main/java/org/apache/rampart/handler/CertificateValidator.java index b759bf3e..60cde2ee 100644 --- a/modules/rampart-core/src/main/java/org/apache/rampart/handler/CertificateValidator.java +++ b/modules/rampart-core/src/main/java/org/apache/rampart/handler/CertificateValidator.java 
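Review bot: The trailing `// WSS4J` on the new `requestData.setDisableBSPEnforcement(disableBSPEnforcement);` names the library but not the consequence, which is the part a maintainer reading this method needs: the line turns off WSS4J's Basic Security Profile compliance checks for messages handled through this RequestData. Replace it with `// Relaxes WSS4J BSP compliance checks; only for interop with non-BSP-compliant peers, default false`. Note also that the neighbouring flags are read through boolean accessors (`isDefaultTimestampPrecisionInMs()`, `isTimeStampStrict()`) while this one is parsed from a String at the call site; a matching boolean accessor on RampartConfig would keep the three lines uniform. The enclosing method begins and ends outside the hunk.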
@@ -36,14 +36,16 @@ public class CertificateValidator extends SignatureTrustValidator { * Checks the validity of the given certificate. For more info see SignatureTrustValidator.verifyTrustInCert. * @param certificate Certificate to be validated. * @param signatureCrypto Signature crypto instance. + * @param disableBSPEnforcement Disable WSS4J feature * @return true if certificate used in signature is valid. False if it is not valid. * @throws WSSecurityException If an error occurred while trying to access Crypto and Certificate properties. */ - boolean validateCertificate(X509Certificate certificate, Crypto signatureCrypto) throws WSSecurityException { + boolean validateCertificate(X509Certificate certificate, Crypto signatureCrypto, boolean disableBSPEnforcement) throws WSSecurityException { X509Certificate[] x509certs = new X509Certificate[1]; x509certs[0] = certificate; - // [ERROR] /home/rlapache/axis-axis2-java-rampart/modules/rampart-core/src/main/java/org/apache/rampart/handler/CertificateValidator.java:[45,34] incompatible types: void cannot be converted to boolean - verifyTrustInCerts(x509certs, signatureCrypto, new RequestData(), false); + RequestData requestData = new RequestData(); + requestData.setDisableBSPEnforcement(disableBSPEnforcement); // WSS4J + verifyTrustInCerts(x509certs, signatureCrypto, requestData, false); return false; } diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/policy/builders/RampartConfigBuilder.java b/modules/rampart-core/src/main/java/org/apache/rampart/policy/builders/RampartConfigBuilder.java index edce4cdb..627a684e 100644 --- a/modules/rampart-core/src/main/java/org/apache/rampart/policy/builders/RampartConfigBuilder.java +++ b/modules/rampart-core/src/main/java/org/apache/rampart/policy/builders/RampartConfigBuilder.java 
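Review bot: `validateCertificate` still ends in an unconditional `return false;` while the Javadoc in the same hunk promises `true if certificate used in signature is valid`, so any caller that branches on the result treats every certificate as untrusted, and the new `requestData` plumbing leaves that contradiction in place. The removed compiler note (`void cannot be converted to boolean`) shows `verifyTrustInCerts` returns nothing, which suggests it reports failure by throwing `WSSecurityException`; if so the method should `return true;` once the call completes, otherwise the Javadoc must be corrected to say what the value means. The added `@param disableBSPEnforcement Disable WSS4J feature` also gives a caller nothing to act on; `@param disableBSPEnforcement when true, WSS4J skips its Basic Security Profile compliance checks during trust verification` would.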
@@ -171,6 +171,12 @@ public class RampartConfigBuilder implements AssertionBuilder<OMElement> { rampartConfig.setTimeStampStrict(childElement.getText().trim()); } + childElement = element.getFirstChildWithName(new QName( + RampartConfig.NS, RampartConfig.DISABLE_BSP_ENFORCEMENT_LN)); + if (childElement != null) { + rampartConfig.setDisableBSPEnforcement(childElement.getText().trim()); + } + return rampartConfig; } diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/policy/model/RampartConfig.java b/modules/rampart-core/src/main/java/org/apache/rampart/policy/model/RampartConfig.java index 314ed9cd..759d96cd 100644 --- a/modules/rampart-core/src/main/java/org/apache/rampart/policy/model/RampartConfig.java +++ b/modules/rampart-core/src/main/java/org/apache/rampart/policy/model/RampartConfig.java @@ -40,6 +40,7 @@ import javax.xml.stream.XMLStreamWriter; * <ramp:timestampMaxSkew>0</ramp:timestampMaxSkew> * <ramp:tokenStoreClass>org.apache.rahas.StorageImpl</ramp:tokenStoreClass> * <ramp:nonceLifeTime>org.apache.rahas.StorageImpl</ramp:nonceLifeTime> + * <ramp:disableBSPEnforcement>false</ramp:disableBSPEnforcement> * * <ramp:signatureCrypto> * <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin"> @@ -77,6 +78,8 @@ public class RampartConfig implements Assertion { public final static String RAMPART_CONFIG_LN = "RampartConfig"; public final static String USER_LN = "user"; + + public final static String DISABLE_BSP_ENFORCEMENT_LN = "disableBSPEnforcement"; public final static String USER_CERT_ALIAS_LN = "userCertAlias"; @@ -130,6 +133,8 @@ public class RampartConfig implements Assertion { private String rampartConfigCbClass; + private String disableBSPEnforcement; + private CryptoConfig sigCryptoConfig; private CryptoConfig encrCryptoConfig; 
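Review bot: The RampartConfig class Javadoc gains `<ramp:disableBSPEnforcement>false</ramp:disableBSPEnforcement>` in the sample policy but, like the rest of the example, says nothing about what setting it to `true` does, and this example is the only documentation a policy author is likely to read. Since the element weakens WSS4J's inbound validation, add a sentence near the example such as `disableBSPEnforcement: set to true only to interoperate with peers whose messages violate the WS-I Basic Security Profile; it turns off WSS4J's BSP compliance checks for every message processed under this policy (default false).` The builder hunk that reads the element needs no change: `Boolean.parseBoolean` later treats anything other than "true" as false, so a mistyped value fails safe.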
@@ -277,6 +282,17 @@ public class RampartConfig implements Assertion { this.userCertAlias = userCertAlias; } + public String getDisableBSPEnforcement() { + if (disableBSPEnforcement == null) { + return "false"; + } + return disableBSPEnforcement; + } + + public void setDisableBSPEnforcement(String disableBSPEnforcement) { + this.disableBSPEnforcement = disableBSPEnforcement; + } + public QName getName() { return new QName(NS, RAMPART_CONFIG_LN); } diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/saml/SAML1AssertionHandler.java b/modules/rampart-core/src/main/java/org/apache/rampart/saml/SAML1AssertionHandler.java index c07960cd..f73466c0 100644 --- a/modules/rampart-core/src/main/java/org/apache/rampart/saml/SAML1AssertionHandler.java +++ b/modules/rampart-core/src/main/java/org/apache/rampart/saml/SAML1AssertionHandler.java @@ -68,15 +68,14 @@ public class SAML1AssertionHandler extends SAMLAssertionHandler{ } @Override - public byte[] getAssertionKeyInfoSecret(Crypto signatureCrypto, TokenCallbackHandler tokenCallbackHandler) - throws WSSecurityException { + public byte[] getAssertionKeyInfoSecret(Crypto signatureCrypto, TokenCallbackHandler tokenCallbackHandler, boolean disableBSPEnforcement) throws WSSecurityException { RequestData requestData = new RequestData(); requestData.setCallbackHandler(tokenCallbackHandler); requestData.setSigVerCrypto(signatureCrypto); + requestData.setDisableBSPEnforcement(disableBSPEnforcement); // WSS4J WSDocInfo docInfo = new WSDocInfo(assertion.getDOM().getOwnerDocument()); // TODO Improve .. - // TODO change this to use SAMLAssertion parameter once wss4j conversion is done .... SAMLKeyInfo samlKi = SAMLUtil.getCredentialFromSubject(assertion, new WSSSAMLKeyInfoProcessor(requestData), signatureCrypto); return samlKi.getSecret(); 
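Review bot: `getDisableBSPEnforcement()` exposes the flag as a String with a `"false"` default, which forces `Boolean.parseBoolean(...)` into every consumer (RampartEngine and RampartMessageData in this same commit), whereas the sibling settings are consumed as booleans, e.g. `isTimeStampStrict()` in RampartMessageData. Add a typed accessor next to the String one, `public boolean isDisableBSPEnforcement() { return Boolean.parseBoolean(disableBSPEnforcement); }` (`parseBoolean(null)` is already false, so no null branch is needed there), and keep the String getter for the policy serializer. The setter should also carry a Javadoc stating that `true` disables WSS4J's Basic Security Profile compliance checks and should stay `false` unless a peer is known to be non-compliant, because a bare setter gives no hint that it is security-relevant.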
diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/saml/SAML2AssertionHandler.java b/modules/rampart-core/src/main/java/org/apache/rampart/saml/SAML2AssertionHandler.java index ceeaa591..948ad7aa 100644 --- a/modules/rampart-core/src/main/java/org/apache/rampart/saml/SAML2AssertionHandler.java +++ b/modules/rampart-core/src/main/java/org/apache/rampart/saml/SAML2AssertionHandler.java @@ -88,11 +88,10 @@ public class SAML2AssertionHandler extends SAMLAssertionHandler{ } - public byte[] getAssertionKeyInfoSecret(Crypto signatureCrypto, TokenCallbackHandler tokenCallbackHandler) - throws WSSecurityException { + public byte[] getAssertionKeyInfoSecret(Crypto signatureCrypto, TokenCallbackHandler tokenCallbackHandler, boolean disableBSPEnforcement) throws WSSecurityException { // TODO : SAML2KeyInfo element needs to be moved to WSS4J. SAML2KeyInfo saml2KeyInfo = SAML2Utils. - getSAML2KeyInfo(assertion, signatureCrypto, tokenCallbackHandler); + getSAML2KeyInfo(assertion, signatureCrypto, tokenCallbackHandler, disableBSPEnforcement); return saml2KeyInfo.getSecret(); } diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/saml/SAMLAssertionHandler.java b/modules/rampart-core/src/main/java/org/apache/rampart/saml/SAMLAssertionHandler.java index 6d3432a7..eca67b43 100644 --- a/modules/rampart-core/src/main/java/org/apache/rampart/saml/SAMLAssertionHandler.java +++ b/modules/rampart-core/src/main/java/org/apache/rampart/saml/SAMLAssertionHandler.java 
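Review bot: The rewritten `public byte[] getAssertionKeyInfoSecret(Crypto signatureCrypto, TokenCallbackHandler tokenCallbackHandler, boolean disableBSPEnforcement)` in SAML2AssertionHandler has no `@Override`, although the SAML1 counterpart changed in this same commit carries one and the method is declared abstract in SAMLAssertionHandler. Add `@Override` above the signature so that the next time the abstract signature changes the compiler flags a stale implementation instead of silently leaving an overload behind. The `// TODO : SAML2KeyInfo element needs to be moved to WSS4J.` line is pre-existing and unaffected.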
@@ -77,10 +77,11 @@ public abstract class SAMLAssertionHandler { * Gets the secret in assertion. * @param signatureCrypto Signature crypto info, private,public keys. * @param tokenCallbackHandler The token callback class. TODO Why ? + * @param disableBSPEnforcement Pass the value to WSS4J when creating RequestData * @return Secret as a byte array * @throws WSSecurityException If an error occurred while validating the signature. */ - public abstract byte[] getAssertionKeyInfoSecret(Crypto signatureCrypto, TokenCallbackHandler tokenCallbackHandler) + public abstract byte[] getAssertionKeyInfoSecret(Crypto signatureCrypto, TokenCallbackHandler tokenCallbackHandler, boolean disableBSPEnforcement) throws WSSecurityException; /** diff --git a/modules/rampart-trust/src/main/java/org/apache/rahas/RahasConstants.java b/modules/rampart-trust/src/main/java/org/apache/rahas/RahasConstants.java index d9ddb994..3efead84 100644 --- a/modules/rampart-trust/src/main/java/org/apache/rahas/RahasConstants.java +++ b/modules/rampart-trust/src/main/java/org/apache/rahas/RahasConstants.java @@ -145,4 +145,6 @@ public class RahasConstants { public static final String SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"; public static final String AUTHENTICATION_METHOD_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"; + // WSS4J, see RAMPART-432 + public static final String DISABLE_BSP_ENFORCEMENT = "disableBSPEnforcement"; } diff --git a/modules/rampart-trust/src/main/java/org/apache/rahas/client/STSClient.java b/modules/rampart-trust/src/main/java/org/apache/rahas/client/STSClient.java index 20303baa..84fe0a03 100644 --- a/modules/rampart-trust/src/main/java/org/apache/rahas/client/STSClient.java +++ b/modules/rampart-trust/src/main/java/org/apache/rahas/client/STSClient.java 
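Review bot: `@param disableBSPEnforcement Pass the value to WSS4J when creating RequestData` on the abstract `getAssertionKeyInfoSecret` describes the plumbing rather than the contract, so an implementer learns nothing about what behaviour the flag changes or when it is acceptable to set it. Replace it with `@param disableBSPEnforcement when true, WSS4J's Basic Security Profile compliance checks are skipped while extracting the key from the assertion's KeyInfo; pass false unless the issuer is known to emit non-compliant assertions`. The `RahasConstants.DISABLE_BSP_ENFORCEMENT` constant added in the next hunk would similarly benefit from a Javadoc saying it is an Axis2 Options property key whose value is parsed as a boolean string, since that is how STSClient consumes it.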
@@ -479,7 +479,11 @@ public class STSClient { child.getXMLStreamReader()).getDocumentElement(); try { - secret = CommonUtil.getDecryptedBytes(this.cbHandler, this.crypto, domChild); + boolean disableBSPEnforcement = false; + if (this.options != null && this.options.getProperty(RahasConstants.DISABLE_BSP_ENFORCEMENT) != null) { + disableBSPEnforcement = Boolean.parseBoolean((String) this.options.getProperty(RahasConstants.DISABLE_BSP_ENFORCEMENT)); + } + secret = CommonUtil.getDecryptedBytes(this.cbHandler, this.crypto, domChild, disableBSPEnforcement); } catch (WSSecurityException e) { log.error("Error decrypting encrypted key element", e); throw new TrustException("errorInProcessingEncryptedKey", e); diff --git a/modules/rampart-trust/src/main/java/org/apache/rahas/impl/util/CommonUtil.java b/modules/rampart-trust/src/main/java/org/apache/rahas/impl/util/CommonUtil.java index 73cc5535..25b4d487 100644 --- a/modules/rampart-trust/src/main/java/org/apache/rahas/impl/util/CommonUtil.java +++ b/modules/rampart-trust/src/main/java/org/apache/rahas/impl/util/CommonUtil.java @@ -151,7 +151,7 @@ public class CommonUtil { * @return The secret as a byte stream. * @throws WSSecurityException If an error is occurred while decrypting the element. */ - public static byte[] getDecryptedBytes(CallbackHandler callbackHandler, Crypto crypto, Node encryptedKeyElement) + public static byte[] getDecryptedBytes(CallbackHandler callbackHandler, Crypto crypto, Node encryptedKeyElement, boolean disableBSPEnforcement) throws WSSecurityException { EncryptedKeyProcessor encryptedKeyProcessor = new EncryptedKeyProcessor(); @@ -159,6 +159,7 @@ public class CommonUtil { RequestData requestData = new RequestData(); requestData.setCallbackHandler(callbackHandler); requestData.setDecCrypto(crypto); + requestData.setDisableBSPEnforcement(disableBSPEnforcement); final WSSConfig cfg = WSSConfig.getNewInstance(); requestData.setWssConfig(cfg); 
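Review bot: The new `(String) this.options.getProperty(RahasConstants.DISABLE_BSP_ENFORCEMENT)` cast in STSClient will throw `ClassCastException` if a caller stored the property as a `Boolean` (`options.setProperty(key, Boolean.TRUE)` is a common Axis2 idiom), and that exception is not a `WSSecurityException`, so it escapes the surrounding `try` and loses the `errorInProcessingEncryptedKey` wrapping. Read it type-agnostically instead: `Object raw = this.options != null ? this.options.getProperty(RahasConstants.DISABLE_BSP_ENFORCEMENT) : null;` then `boolean disableBSPEnforcement = raw != null && Boolean.parseBoolean(String.valueOf(raw));`. A `Boolean` value then works as well as the string form, and anything unrecognised still defaults to enforcement on.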
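Review bot: `CommonUtil.getDecryptedBytes` is `public static` and the hunk replaces its three-argument signature outright, so any code outside this repository that calls the old form stops compiling and, for already-built jars, fails at runtime with `NoSuchMethodError`. Keep the old entry point as a delegating overload, `public static byte[] getDecryptedBytes(CallbackHandler callbackHandler, Crypto crypto, Node encryptedKeyElement) throws WSSecurityException { return getDecryptedBytes(callbackHandler, crypto, encryptedKeyElement, false); }`, which also preserves the secure default. The Javadoc above the changed signature still lists only `@return` and `@throws`; add `@param disableBSPEnforcement when true, WSS4J's Basic Security Profile checks are skipped while processing the EncryptedKey`.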
diff --git a/modules/rampart-trust/src/main/java/org/apache/rahas/impl/util/SAML2Utils.java b/modules/rampart-trust/src/main/java/org/apache/rahas/impl/util/SAML2Utils.java index eb65ab13..6b89f300 100644 --- a/modules/rampart-trust/src/main/java/org/apache/rahas/impl/util/SAML2Utils.java +++ b/modules/rampart-trust/src/main/java/org/apache/rahas/impl/util/SAML2Utils.java @@ -103,7 +103,7 @@ public class SAML2Utils { * */ public static SAML2KeyInfo getSAML2KeyInfo(Element elem, Crypto crypto, - CallbackHandler cb) throws WSSecurityException { + CallbackHandler cb, boolean disableBSPEnforcement) throws WSSecurityException { Assertion assertion; //build the assertion by unmarhalling the DOM element. @@ -139,12 +139,12 @@ public class SAML2Utils { throw new WSSecurityException( WSSecurityException.ErrorCode.FAILURE, e, "Failure in unmarshelling the assertion"); } - return getSAML2KeyInfo(assertion, crypto, cb); + return getSAML2KeyInfo(assertion, crypto, cb, disableBSPEnforcement); } public static SAML2KeyInfo getSAML2KeyInfo(Assertion assertion, Crypto crypto, - CallbackHandler cb) throws WSSecurityException { + CallbackHandler cb, boolean disableBSPEnforcement) throws WSSecurityException { //First ask the cb whether it can provide the secret WSPasswordCallback pwcb = new WSPasswordCallback(assertion.getID(), WSPasswordCallback.CUSTOM_TOKEN); @@ -232,7 +232,7 @@ public class SAML2Utils { QName el = new QName(child.getNamespaceURI(), child.getLocalName()); if (el.equals(WSConstants.ENCRYPTED_KEY)) { - byte[] secret = CommonUtil.getDecryptedBytes(cb, crypto, child); + byte[] secret = CommonUtil.getDecryptedBytes(cb, crypto, child, disableBSPEnforcement); return new SAML2KeyInfo(assertion, secret); } else if (el.equals(new QName(WSConstants.WST_NS, "BinarySecret"))) { 
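Review bot: Both `public static SAML2KeyInfo getSAML2KeyInfo(...)` overloads in SAML2Utils lose their previous three-argument signatures, which is a source- and binary-incompatible change to a public utility class that external code (custom token issuers, for instance) may call directly. Keep the old signatures as thin overloads that delegate with `false`, so existing callers continue to get BSP enforcement, and document the new parameter in the Javadoc block that ends with `* */` just above the first method, since it currently says nothing about it. Both method bodies continue outside the hunks shown here.

```java
public static SAML2KeyInfo getSAML2KeyInfo(Element elem, Crypto crypto,
                                           CallbackHandler cb) throws WSSecurityException {
    // Backward-compatible entry point: BSP compliance checks stay enabled.
    return getSAML2KeyInfo(elem, crypto, cb, false);
}

public static SAML2KeyInfo getSAML2KeyInfo(Assertion assertion, Crypto crypto,
                                           CallbackHandler cb) throws WSSecurityException {
    // Backward-compatible entry point: BSP compliance checks stay enabled.
    return getSAML2KeyInfo(assertion, crypto, cb, false);
}

// … unchanged: four-argument getSAML2KeyInfo(Element, …) and getSAML2KeyInfo(Assertion, …) from the hunks …
```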
diff --git a/modules/rampart-trust/src/test/java/org/apache/rahas/impl/SAML2TokenIssuerTest.java b/modules/rampart-trust/src/test/java/org/apache/rahas/impl/SAML2TokenIssuerTest.java index 78dab4e3..3e682f38 100644 --- a/modules/rampart-trust/src/test/java/org/apache/rahas/impl/SAML2TokenIssuerTest.java +++ b/modules/rampart-trust/src/test/java/org/apache/rahas/impl/SAML2TokenIssuerTest.java @@ -25,7 +25,6 @@ import org.apache.axis2.context.MessageContext; import org.apache.rahas.RahasConstants; import org.apache.rahas.RahasData; import org.apache.rahas.Token; -import org.apache.rahas.client.STSClient; import org.apache.rahas.test.util.AbstractTestCase; import org.apache.rahas.test.util.TestSTSClient; import org.apache.rahas.test.util.TestUtil; diff --git a/modules/rampart-trust/src/test/java/org/apache/rahas/impl/util/CommonUtilTest.java b/modules/rampart-trust/src/test/java/org/apache/rahas/impl/util/CommonUtilTest.java index 93b008b6..877f6b69 100644 --- a/modules/rampart-trust/src/test/java/org/apache/rahas/impl/util/CommonUtilTest.java +++ b/modules/rampart-trust/src/test/java/org/apache/rahas/impl/util/CommonUtilTest.java @@ -204,10 +204,14 @@ public class CommonUtilTest extends AbstractTestCase { Element element = builder.getEncryptedKeyElement(); - byte[] decryptedKey = CommonUtil.getDecryptedBytes(new TestCallbackHandler(), TestUtil.getCrypto(), element); + byte[] decryptedKey = CommonUtil.getDecryptedBytes(new TestCallbackHandler(), TestUtil.getCrypto(), element, false); Assert.assertTrue(Arrays.equals(ephemeralKey, decryptedKey)); + // FIXME - need a test case for disabling BSP compliance on WSS4J + // byte[] decryptedKey2 = CommonUtil.getDecryptedBytes(new TestCallbackHandler(), TestUtil.getCrypto(), element, true); + // Assert.assertTrue(Arrays.equals(ephemeralKey, decryptedKey2)); + } public void testGetSymmetricKeyBasedKeyInfo() throws Exception {
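Review bot: The commented-out check under `// FIXME` in CommonUtilTest would not exercise the new flag even if enabled: decrypting the same BSP-compliant `EncryptedKey` with `disableBSPEnforcement = true` must succeed regardless, so the assertion passes whether or not the flag reaches WSS4J. A test that proves the plumbing needs an EncryptedKey that WSS4J's BSP checks reject, asserting that `getDecryptedBytes(handler, crypto, element, false)` throws `WSSecurityException` while `getDecryptedBytes(handler, crypto, element, true)` returns `ephemeralKey`; building such a fixture may be why the commit message asks for help. Until then, replace the dead code with a one-line `// TODO: add a non-BSP-compliant EncryptedKey fixture to verify disableBSPEnforcement=true` so the intent is kept without commented-out code.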